Let's Phish!

See end of article for an update related to recent attacks...

Who do you trust?

No, this isn't a reference to the new Ghostbusters 3 film. Although now you mention it, it does look to be pretty epic!

Most of us know the reasons. Whether it is the constant revelations from the NSA and GCHQ documents leaked by Edward Snowden, or the move to HTTP/2 (which browsers will only speak over TLS), SSL is now everywhere.

Secure Sockets Layer (SSL), or Transport Layer Security (TLS) as it is now known, is the means by which our communications are kept secure over the internet. The chances are you're using SSL now to view this post (see that green padlock by the https:// link in the browser address bar?). SSL brings two core elements of security together: privacy and trust. The cryptography used by SSL keeps our messages private so that the bad guys aren't able to see our bank details or steal our passwords. But the trust part is equally important. What's the point in hiding our communications if we can't be sure of who we're actually talking to? I may have typed www.garudax.id in to my browser, but how do I know that attackers aren't silently redirecting my traffic to a malicious site?

This is where SSL certificates come in. 

Security on the internet is founded on transitive trust. I don't necessarily trust the LinkedIn website because, frankly, anything could be happening to my 1s and 0s as they find their way around the internet. What I do trust, implicitly, are the certificate authorities (CAs). Along with DNS, these CAs form part of the backbone of the internet, without which the web would immediately stop being a useful forum for commerce and open and free discussion.


Any organisation or person (the 'Website' in our picture, above), legitimate or otherwise, can request an SSL certificate (for a fee) from a certificate authority. The organisation in question then uses this certificate to secure their website and prove to the visitor (the 'User') that they are who they say they are.

Our web browsers (Chrome, Firefox, Internet Explorer, etc.) also come with a set of 'root' CA certificates already installed, either their own or those of the operating system. Without you having to do anything, your web browser will automatically trust any certificate that chains back to one of those roots. I can now trust www.garudax.id since the website's certificate was issued by a CA that my browser already knows about and trusts. This is the transitive trust model.


  1. I trust the Certificate Authority
  2. The certificate authority trusts Website A to which it's given a certificate
  3. Ergo, I trust Website A too

This is actually a really great model and allowed the world wide web to explode and meet its true potential.

This trust, however, can sometimes be broken. Occasionally for the good of the user, but frequently to exploit website users, steal their credentials and commit fraud. As you may already be able to imagine from our diagram and description of trust, what happens if the CA or the certificate is not trustworthy? As a user you very often have very little visibility, let alone control, over who and what your web browser will blindly trust. There have been several well-documented cases of Certificate Authorities being compromised and issuing certificates to attackers (the DigiNotar breach of 2011 being the best known).

Here's a look at some of the existing 'root' Certificate Authority certificates already installed in your browser. This example computer shows 315 certificate authorities installed. That's a lot of people to trust! Any certificate created by one of these CAs is automatically trusted by your browser:


But a CA doesn't even need to be compromised for us to become the target of a successful attack through a 'secure' website.

Credential Theft

One of the many ways that attackers will look to exploit users, steal data and commit fraud is through theft of their credentials. One of the easiest ways to do this is a technique called 'phishing'. Attackers will clone a legitimate website, let's stick with LinkedIn, and set it up and running on their own server or maybe even make use of a public cloud such as Amazon AWS. So now they have a copy of LinkedIn (or, more frequently, just a login page). But how do they get unknowing users to their site to steal login credentials? The first part is to register a website domain. In our example we might pick www.l1nked1n.com, which simply replaces the letter 'i' with the number 1. At first glance it's difficult to see any difference from the legitimate LinkedIn address.

The next step for the attacker is to get an SSL certificate for their new, fake, website. After all, they want to keep you safe (!) and it may arouse suspicion if you go to a site believing it is LinkedIn but the connection is not secure. Getting one is routine: a basic certificate only requires the requester to prove control of l1nked1n.com, which the attacker has just registered. Once they purchase and install their certificate on to their webserver the phishing may begin:

Users are typically driven to the malicious website via phishing emails, such as the one above. It's all too easy for us to click on links without really seeing where we are going.

Since our attackers have stumped up a little cash to purchase and install an SSL certificate, we still see a nice secure padlock when we go to the fake site:


So we enter our login credentials, they get stolen, and we subsequently lose control of our account or, potentially, a lot of money if this happens on a banking site.

At this stage it's important to realise that phishing sites tend to only remain on-line for days (or even hours) at a time. The cloning, hosting, credential theft and take-down of the sites is very rapid.

letsencrypt.org

Until very recently acquiring a certificate from one of the large certificate authorities would set you back some hard earned (or stolen) cash. Things have changed, however, and we are now able to get free certificates from a number of suppliers such as StartSSL. The process still involves a great deal of manual effort to sign up, become 'verified' (I use the term loosely), and get your free certificate. 

Let's Encrypt is a fantastic new initiative which is designed to remove a lot of the manual effort and cost from basic SSL certificates. It introduces a new Certificate Authority to the world and a new automated protocol (ACME) by which a web server talks directly to the CA, proves control of its domain name, requests a certificate, and installs it for immediate use.

This is a great service that will make it easier for everybody, from large enterprises to home users, to get started protecting their own web services. SSL certificates can be requested, installed and in use within minutes.

And when I say everybody, of course, I also mean our fraudsters. No longer will they have to wait hours or days for a new domain to be verified and a certificate to be issued.

"That's okay" you say to yourself, "I will just make a choice not to trust the new Let's Encrypt certificate authority".

Unfortunately it's not as simple as that. To make the introduction of a new CA on to the web as seamless as possible, its intermediate certificate is "cross signed" by another CA which you already trust. In this case the Let's Encrypt intermediate is signed by DST Root CA X3, which is owned by IdenTrust (a large and popular CA) and already present in every major trust store. The end result is that you already trust the letsencrypt.org CA whether you want to or not, since you trust the CA that signed its certificate! You can mark the intermediate as untrusted by hand, but almost nobody will, and removing the DST root itself would break every other site that chains to it. Essentially, you have very little choice in the matter.
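To make the cross-signing concrete, here is an added demonstration (example code written for this article, not part of the original post and not Let's Encrypt's own tooling) that builds a throw-away PKI with the openssl command line: an 'old' root standing in for DST Root CA X3, a 'new' root standing in for the newcomer's own root, one intermediate key signed by both, and a site certificate. The names, the temporary files and the host www.example.test are all made up for the demo, and it assumes only a POSIX shell and OpenSSL 1.1.1 or later. The same chain walk is the transitive trust from the numbered list earlier: the site is trusted only because its issuer is, and its issuer's issuer is.

```shell
#!/bin/sh
# Added demo (not from the article): a "new" root CA whose intermediate is
# cross-signed by an "old", already-trusted root. The whole PKI is constructed
# here with the openssl CLI; every name is hypothetical and nothing touches a
# real CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA certificates and for the site (leaf) certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# csr NAME CN -> NAME.key and NAME.csr
csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# 1. Two self-signed roots. OLD plays the root already in every trust store
#    (the article's DST Root); NEW plays the newcomer CA's own root.
csr old "Old Trusted Root"
openssl x509 -req -in old.csr -signkey old.key -out old.pem -days 30 -extfile ca.ext 2>/dev/null
csr new "New Root"
openssl x509 -req -in new.csr -signkey new.key -out new.pem -days 30 -extfile ca.ext 2>/dev/null

# 2. ONE intermediate key, signed twice: by NEW (its native chain) and by OLD
#    (the cross-sign). Same subject and same public key, two different issuers.
csr int "New Intermediate"
openssl x509 -req -in int.csr -CA new.pem -CAkey new.key -CAcreateserial \
  -out int_by_new.pem -days 30 -extfile ca.ext 2>/dev/null
openssl x509 -req -in int.csr -CA old.pem -CAkey old.key -CAcreateserial \
  -out int_by_old.pem -days 30 -extfile ca.ext 2>/dev/null

# 3. The site certificate, issued with the intermediate key. Its issuer name is
#    "New Intermediate" whichever of the two intermediate certs a client is shown.
csr leaf "www.example.test"
openssl x509 -req -in leaf.csr -CA int_by_new.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# verify_with TRUSTED_ROOT INTERMEDIATE -> "trusted" or "untrusted"
# (the client trusts only TRUSTED_ROOT and is handed INTERMEDIATE by the server)
verify_with() {
  if openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "trust NEW root, server sends int_by_new: $(verify_with new.pem int_by_new.pem)"
echo "trust OLD root, server sends int_by_new: $(verify_with old.pem int_by_new.pem)"
echo "trust OLD root, server sends int_by_old: $(verify_with old.pem int_by_old.pem)"
```

The last line is the cross-sign at work: a client that has never heard of 'New Root' still accepts the site, because the server hands it the copy of the intermediate that was signed by a root it already trusts. Browsers do the same chain building, which is why a new CA can 'arrive' in your trust store without you changing anything.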

And herein lies the big issue of trust on the internet. The 'public-key infrastructure' model of trust is absolutely essential to the workings of the world wide web. And letsencrypt.org is a really important initiative to provide wider and more freely available security to everybody. But, as with everything it seems, what is useful for some can be exploited and used for evil by others.

How to protect corporate users

For organisations to protect their staff when browsing the web there are, thankfully, some pretty easy methods to spot and block phishing sites. By far the easiest is to use an SWG (Secure Web Gateway) to check every website address that users visit. You may think that your organisation just likes to spy on what you're spending your time on during your lunch hour but, in truth, they're just trying to keep you safe. That and spy on you at lunch.

An SWG should provide the organisation with a real-time list of known good websites. "Why is this useful", you say, "when I want to know about the bad stuff out there!?". Well, it's quite simple. The SWG should block access to websites it either knows are bad or has never heard of (newly registered, uncategorised domains). So our fake phishing site, set up merely hours ago on a random address, is blocked simply because it is unknown, without anyone having to classify it as bad first.
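The two decisions described in this section and in the credential-theft section, 'is this address known good or known bad' and 'does this address merely look like a brand we protect', are small enough to show end to end. The following is an added example for this article (not code from the original post or from any SWG product); its allow, block and brand lists are constructed for the demo, and the homoglyph folding is a deliberately small, hypothetical mapping in the spirit of the Unicode confusable-skeleton idea rather than the full table a real gateway would use.

```shell
#!/bin/sh
# Added example (not from the article): the decision a default-deny web
# gateway makes from three small lists, plus a lookalike check that catches
# www.l1nked1n.com. Lists are constructed for the demo; no network is used.
ALLOW='www.linkedin.com
linkedin.com
static.licdn.com'
BLOCK='evil.example'
BRANDS='linkedin.com
paypal.com'

# skeleton NAME: fold characters that look alike in an address bar into one
# representative, so both "linkedin" and "l1nked1n" become "llnkedln".
# Hypothetical, deliberately small mapping: 1, i and | -> l; 0 -> o; 5 -> s;
# "rn" -> m; "vv" -> w. Apply it to BOTH sides and compare the results.
skeleton() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/rn/m/g; s/vv/w/g' -e 'y/1i|05/lllos/'
}

# registrable NAME: keep the last two labels. Simplification: ignores the
# public-suffix list, so co.uk-style names would need a real PSL lookup.
registrable() { printf '%s' "$1" | awk -F. '{ print $(NF-1) "." $NF }'; }

# in_list ITEM LIST: exact, fixed-string match of ITEM against a newline list
in_list() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

# classify HOST -> allow | block-known-bad | block-lookalike | block-unknown
classify() {
  d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if in_list "$d" "$ALLOW"; then echo allow; return 0; fi
  if in_list "$d" "$BLOCK"; then echo block-known-bad; return 0; fi
  s=$(skeleton "$(registrable "$d")")
  for b in $BRANDS; do
    if [ "$(skeleton "$b")" = "$s" ]; then echo block-lookalike; return 0; fi
  done
  echo block-unknown   # never heard of it: default deny, which is the point
}

for host in www.linkedin.com www.l1nked1n.com evil.example fresh-site.example; do
  printf '%-22s %s\n' "$host" "$(classify "$host")"
done
```

The order of the checks matters: the allow list is consulted first so that a legitimate brand is never mistaken for a lookalike of itself, and the lookalike check runs on the registrable domain only, so an attacker cannot dodge it by adding a harmless-looking subdomain.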

How to protect yourself

So how can you protect yourself when you're browsing the web at home without the protection of an SWG product? Well, there's really not a great deal you can do except be vigilant about the sites you are visiting. Not blindly clicking on links in an email (even when they look genuine), paying attention to the website address you eventually get directed to, and not using open or untrusted WiFi hotspots are some simple means to stay safe.

There is something else that you can keep an eye out for, however, that may also help keep you that bit safer:

Types of SSL Certificates

You may have already subconsciously noticed, in roaming around the internet and doing your on-line banking, that there are different types of SSL certificates. The two most relevant are the basic certificates which have, as discussed above, become cheap (even free) and automated, with very little required to prove who an entity or website is. These are called DV (Domain Validation) certificates. They provide security (through encryption) but they really only prove that you are indeed talking to the website whose name you typed in to the address bar of your browser. They prove nothing about the people behind a website or its legitimacy. A DV certificate will show a secure padlock and, usually, some other indication that the site is encrypted (such as the green 'https:' text in the address bar):


EV (Extended Validation) certificates take trust much further. In requesting an EV certificate an organisation must deal with people working within the Certificate Authority. These people vet the company and assess the claim it has over a domain and web service. Websites that clearly share a less than accidental similarity to a legitimate site should not get past the human verification phase. EV certs usually carry the name of the verified organisation after the padlock icon in the address bar:


Let's stay safe

There's no doubt that letsencrypt.org, along with other CAs who will start providing a similar service, is an important and incredibly useful step to better securing the web. However, I worry that the automated and free issuance of SSL certificates will start to reduce their value with regard to the 'trust' aspect of security. Thankfully, however, we do have something else up our sleeve. EV certificates must now become the new norm for organisations and websites that want users to believe that they take their trust and security seriously.


Update (2016-10-12): recent attacks on the back ends of e-commerce payment pages, such as the Magecart card-skimming campaign, have confirmed that Let's Encrypt certificates are being used in live attacks.

I will be writing another article on this topic soon, but short term mitigations to investigate are:

  • Use of Extended Validation certificates, and educating users to look out for the organisation name they display
  • Monitoring Certificate Transparency logs, so that a certificate issued for your domain (or for a lookalike of it) by any CA is visible to you shortly after issuance
  • Inserting CAA records into your DNS entries to limit which CAs can issue certificates for your domain. Note that CAA only constrains issuance for names you own; it does nothing to stop a certificate for l1nked1n.com

Article by David Warburton